New Admin Alert Management tool and UI to view and manage all user alerts.

New filter called Does Not Exist to find events that do not contain some specified field.

Support for Datastore Device ID-to-name aliasing in event queries and results.

New "blur" on session timeout.

Server Features

Support for Syslog octet-framing over TCP.

Defined REST APIs for installing Log Insight servers and clusters.

Support for time ranges with Event Type alert queries.

Agent and Importer Features

SLES 11 SP3 and SLES 12 SP1 are supported for Linux agents.

The dateext (daily extension) option of logrotate is now supported.

SSL for the vRealize Log Insight agent is now enabled by default.

Content Pack Features

Users can now subscribe to content pack alerts that allow automated updates in line with the associated content pack.

Changed Behavior

New Agent installations have SSL enabled by default. Previously, Agent installs defaulted to SSL off. Upgrading does not affect current SSL settings.

New event forwarder destinations now default to verifying SSL certificates. Previously, SSL certificates were not verified by default. Upgrading does not affect current settings.

vRealize Log Insight for vCenter now allows you to change SSL settings.

For content pack alerts instantiated in 4.0, content pack updates now automatically update alert definitions. If needed, you can preserve customizations by exporting them and then importing them back into the user profile after the update is applied.

Compatibility

vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later. Support for 5.0 and 5.1 has been removed. See http://kb.vmware.com/kb/2145103 for more information.

You can integrate vRealize Log Insight 4.0 with vRealize Operations Manager version 6.0 or later.

Browser Support

vRealize Log Insight 4.0 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.

Mozilla Firefox 45.0 and above

Google Chrome 51.0 and above

Safari 9.1 and above

Internet Explorer 11.0 and above

Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.

vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.

The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.

The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.

vRealize Log Insight Windows and Linux Agents

Non-ASCII characters in hostname/source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.

vRealize Log Insight Windows Agent

The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.

vRealize Log Insight Linux Agent

Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.

The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.

The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The exclude option uses the glob pattern .*, which matches hidden files.
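One way to audit an agent configuration for sections that lack this option, as an added example that is not part of the original release notes or VMware's tooling. It assumes collection sections are named [filelog|name] and that exclude takes a semicolon-separated list of glob patterns; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: list agent config sections that would still collect hidden files.
# Assumption: collection sections are named [filelog|<name>] and exclude takes
# a semicolon-separated list of glob patterns.

sections_missing_hidden_exclude() {   # $1 = path to the agent config file
    awk '
        function emit() { if (sec != "" && !ok) print sec }
        /^[ \t]*[;#]/ { next }                    # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                  # section header
            emit()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            if (index(sec, "filelog|") != 1) sec = ""   # only collection sections
            ok = 0; next
        }
        /^[ \t]*exclude[ \t]*=/ {                 # exclude option of this section
            val = $0; sub(/^[^=]*=/, "", val); n = split(val, pats, ";")
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", pats[i]); sub(/[ \t]+$/, "", pats[i])
                if (pats[i] == ".*") ok = 1
            }
        }
        END { emit() }
    ' "$1"
}

# Constructed sample configuration (not from a real host).
sample_config() {
cat <<'EOF'
[server]
hostname=loginsight.example.test
[filelog|messages]
directory=/var/log
exclude=.*
[filelog|app]
directory=/opt/app/logs
; exclude=.*
[filelog|audit]
directory=/var/log/audit
exclude=*.gz; .*
[filelog|bak]
directory=/srv/logs
exclude=*.bak
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
sections_missing_hidden_exclude "$tmp"    # prints the sections to fix
rm -f "$tmp"
```

A commented-out exclude line does not count, so the second sample section is reported along with the one that excludes only *.bak.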

When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.

Active Directory

vRealize Log Insight does not support multiple domains for Active Directory login when they are not trusted domains.

Upgrading from a Previous Version of vRealize Log Insight

Important

When performing a manual upgrade, workers must only be upgraded one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.0, a rolling upgrade occurs unless specifically disabled.

Upgrading to vRealize Log Insight 4.0 must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.

The client browser from which the upgrade is started must be able to access the master node on ports 80 or 443.

vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.

Limitations

The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show strings and have layout issues.

vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.

Integration with Active Directory, vSphere and vRealize Operations Manager for user names with non-ASCII characters is not supported.

The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.

Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.

Resolved Issues

This section describes issues that have been resolved since the vRealize Log Insight 3.6 release.

Known Issues

Event forwarding stops working after upgrading deployments that use SSL.
JRE is upgraded as part of the vRealize Log Insight upgrade. For sites configured with SSL, certificate information remains stored in the old JRE version; therefore, the certificate cannot be retrieved for the upgraded installation and event forwarding fails.
Workaround: Reimport the certificate using the procedure "Configuring vRealize Log Insight Event Forwarding with SSL" in the vRealize Log Insight documentation center.

Built-in groups have authentication issues
There have been reports that some customers have found issues in group-based Active Directory authentication against Active Directory built-in groups. The issue has been reproduced and a fix is being researched.
Workaround: None currently.

The login splash screen for vRealize Log Insight does not display correctly in Internet Explorer 11 on Windows 10.
The login area appears correctly, but the background pattern is not displayed.
Workaround: None.

A failure to export event results might occur intermittently.
When a query returns a large number of results, some results might not be exported normally or the export file might be empty.
Workaround: See http://kb.vmware.com/kb/2145923 for more information on workarounds.

Custom extracted field not displaying all log messages.
When you are creating the extracted field, the display field indicates errors or alerts that are found based on the expressions configured within the field. However, the extracted field is applied anyway.
Workaround: None.

High CPU usage when the agent is collecting a large number of files.
When you are collecting a large number of logs, vRealize Log Insight might have a very high CPU usage.
Workaround: Filter out unwanted log files from being collected.

The dashboard field links are displaying values that differ from what the event is displaying.
The value is either incorrect or displays an unknown value of 'row14-c'. Examples include vmw_vcenter and vmw_cluster.
Workaround: None.

After upgrading, vRealize Log Insight virtual machines might generate a high number of disk IOPS.
Workaround: This is expected as vRealize Log Insight performs background work post-upgrade. This process may take several hours or even days to complete.

The Join Log Insight cluster operation appears to fail.
Increasing vRealize Log Insight cluster size appears to fail with multiple spurious service group entries in the daemon section of the config.
Workaround: Remove the spurious service group entries from the daemon section of the config.

When "Autoconfig is in use" is selected, the TCP/Syslog protocol is not applied correctly with vCenter Server integration.
The protocol type for a vCenter integration with vRealize Log Insight is selected and displayed on the #admin/vsphere page. When you select the TCP/Syslog protocol, set "Autoconfig", and save the configuration, after a few seconds or just by moving to another page, UDP may be shown as the selected/used protocol. The protocol type is changed on the VC side also.
Workaround: None.

Upgrade fails when the /storage/var partition is full.
Cluster nodes can enter a disconnected state when the /storage/var partition is full.

When the /storage/var partition is full, it may result in failed upgrades and cause cluster nodes to intermittently enter a disconnected state. The loginsight_daemon_stdout.log file in the partition has been known to grow to a very large size and can be safely deleted.

For upgrade failure, this is indicated by a no space on device message in the upgrade.log file.

For nodes, you might see the message Internal Server Error when you open the interface from a VIP address or IP address of an affected node. For unaffected nodes, the user interface remains accessible. The admin/cluster page shows the disconnect status for affected nodes.

Workaround: Manually clean up the log file, restart services on affected nodes, and retry the operation.

Run the du command on the Log Insight cluster nodes to verify that one or more nodes show the /storage/var partition is 100% full.

Log into the appliance as root user.

Run the command rm /storage/var/loginsight/loginsight_daemon_stdout.log to delete the log file.

Run the command /etc/init.d/loginsight stop && /etc/init.d/loginsight start to restart the loginsight service.
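A guarded form of the workaround steps above, as an added example that is not part of the original release notes or VMware's tooling. It assumes df -P is used to read the partition's usage percentage; the function names, device names and sample df output are constructed for illustration.

```shell
#!/bin/sh
# Added example: guarded form of the /storage/var cleanup steps.
# Assumption: df -P is used to read the usage percentage of the partition.
LOG=/storage/var/loginsight/loginsight_daemon_stdout.log

# Read `df -P` output on stdin; print Use% (digits only) for mount point $1.
usage_pct() {
    awk -v mp="$1" 'NR > 1 && $NF == mp { p = $(NF - 1); sub(/%/, "", p); print p }'
}

# Succeed only when the usage ($1) is a number at or above the threshold ($2).
is_full() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "${2:-100}" ]
}

# Delete the daemon stdout log and restart the service only if the partition is full.
cleanup_storage_var() {
    pct=$(df -P /storage/var | usage_pct /storage/var)
    if ! is_full "$pct"; then
        echo "/storage/var is at ${pct:-?}%: not full, nothing removed"
        return 0
    fi
    ls -l "$LOG"                       # record the size before deleting
    rm "$LOG" || return 1
    /etc/init.d/loginsight stop && /etc/init.d/loginsight start
}

# Constructed df -P output for a dry run of the check (not from a real node).
sample_df() {
cat <<'EOF'
Filesystem              1024-blocks     Used Available Capacity Mounted on
/dev/mapper/data-var       20511312 20511312         0     100% /storage/var
/dev/mapper/data-core     495840256 99168051 396672205      21% /storage/core
EOF
}

# Dry run on the sample; call cleanup_storage_var as root on an affected node.
if is_full "$(sample_df | usage_pct /storage/var)"; then
    echo "sample: /storage/var is full, cleanup would run"
fi
```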